Forum Discussion

Guido_Vosmeer_9
Historic F5 Account
Jun 25, 2008

Using the SSL::renegotiate command

Hi,

I have a user who wants to use different SSL certificates for different domains, but they are all on the same virtual server.

What they want to do for example is:

client requests abc.example.com -> use certificate abc

client requests def.example.com -> use certificate def

I would think it can be done by using the SSL::renegotiate command, but since the first time the HTTP Request gets to the BIG-IP is after the initial SSL handshake, we would first need to use a wildcard certificate, right?

As far as the rule is concerned, I think it would look something like this:

when HTTP_REQUEST {
    if { [HTTP::host] contains "abc" } {
        SSL::profile abc_profile
        SSL::renegotiate
    } elseif { [HTTP::host] contains "def" } {
        SSL::profile def_profile
        SSL::renegotiate
    }
}

Any other suggestions or comments on how to write this rule?

Are there many users that actually use this command for this kind of "two step" negotiation?

Thanks
  •
    Guido_Vosmeer_9
    Historic F5 Account
    Let me correct myself, I thought the rule would look like that, but since it seems that the SSL::profile is not a valid command for the HTTP_Request event, I need to find another way to do it. Any suggestions?
  •
    spark_86682
    Historic F5 Account
    I'm not 100% sure, but I don't think that there is a way to do this. The SSL::profile command is only valid in CLIENT_ACCEPTED (and SERVER_CONNECTED) as the wiki page says. Its usual use is to present a different SSL certificate based on L4 information (so you could, for example, have one certificate for internal users and another for external ones).
  •
    Guido_Vosmeer_9
    Historic F5 Account
    Yeah, that's what I thought.

    It is possible to use L4 information to select a profile, but difficult with L7 info...

    It is however possible to use the SSL::renegotiate command and require a customer certificate (or not) based on L7 info.

    Along those lines I thought it must be possible to switch certificates based on L7 info.
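Putting spark's answer and the point above together, here is an added example iRule (written for this page, not taken from the thread or from F5's documentation): the client SSL profile, and with it the certificate, is chosen in CLIENT_ACCEPTED from L4 information, while SSL::renegotiate is used from HTTP_REQUEST to demand a client certificate for one URI path. The profile names, the 10.0.0.0/8 subnet and the /secure/ path are assumptions.

```tcl
# Added example, not from the thread. Profile names, subnet and path are assumed.

# SSL::profile is only valid here (and in SERVER_CONNECTED), so the server
# certificate can only be picked from L4 data such as the client address.
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        # assumed profile name: certificate for internal users
        SSL::profile internal_clientssl
    } else {
        # assumed profile name: certificate for external users
        SSL::profile external_clientssl
    }
}

# SSL::renegotiate, by contrast, can be driven by L7 data: the first handshake
# has already completed, so a second one can be forced once the URI is known.
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/secure/" } {
        if { [SSL::cert count] == 0 } {
            # Hold the request until the renegotiation has finished
            HTTP::collect
            set need_cert 1
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires for the first handshake too; only act when HTTP_REQUEST asked for a cert
    if { [info exists need_cert] } {
        unset need_cert
        if { [SSL::cert count] > 0 } {
            # Certificate presented: let the held request through
            HTTP::release
        } else {
            # No certificate: close the connection rather than serve /secure/
            reject
        }
    }
}
```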